begin quoting Andrew Lentvorski as of Sat, Jan 13, 2007 at 04:01:10PM -0800:
> I was looking through my logs today at all of the weird connection 
> attempts and I got to thinking.
> 
> Right now, I have a daemon which bans things which attempt to log into 
> my system too many times.  That's fine, but it doesn't really do much.
> 
> I am thinking that I might ban *anything* for 30 days which attempts to 
> connect to any port on which I don't have anything running.
> 
> Is there any reason *not* to do this?  We're not talking about a 
> development machine; this is just my mail server.

Only in the danger of a denial-of-service attack sense. Someone playing
silly buggers with spoofing IP addresses or feeding bogus information
to an FTP server can cause some other (valid) machine to lock itself
out.

This might also block those trying to send mail from machines with
dynamic addresses, if they happen to pick up an IP address used by
someone who rattled your doorknob.

Obviously, make a whitelist, so a typo when typing nmap or wget doesn't
lock your machines out...

Otherwise, I'd say give it a try, and see what happens. (Maybe exclude
common "public service" ports, like ident, finger, http, https, ftp,
etc. that people try if they get what seems to be a spam from your
domain.)

-- 
Almost any sort of automated policy can be turned into a DoS attack.
Stewart Stremler


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
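
The policy discussed in this thread (a 30-day ban for touching a closed port, tempered by a whitelist and by exempting common public-service ports), as an added Python example that is not part of the original messages. The log line format, all addresses, the whitelist range and the assumption that only SMTP (port 25) is listening are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

BAN_FOR = timedelta(days=30)             # ban length proposed in the thread
LISTENING = {25}                         # assumption: the mail server only runs SMTP
EXEMPT = {21, 79, 80, 113, 443}          # ftp, finger, http, ident, https: never ban for these
WHITELIST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/28")]  # constructed

# Constructed sample lines, loosely shaped like Linux netfilter LOG output.
SAMPLE_LOG = """\
2007-01-13T16:01:10 fw: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40112 DPT=23 SYN
2007-01-14T09:00:00 fw: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40113 DPT=3306 SYN
2007-01-14T09:05:00 fw: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22 SYN
2007-01-14T09:06:00 fw: IN=eth0 SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=113 SYN
2007-01-14T09:07:00 fw: IN=eth0 SRC=198.51.100.30 DST=203.0.113.5 PROTO=TCP SPT=51002 DPT=25 SYN
2007-01-14T09:08:00 fw: IN=eth0 SRC=198.51.100.99 DST=203.0.113.5 PROTO=TCP SPT=51003 DPT=445 SYN
"""

# Only TCP lines are considered in this example.
LINE = re.compile(r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def decide_bans(log_text):
    """Return {source_ip: ban_expiry} for probes of closed, non-exempt ports."""
    bans = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        port = int(m["dpt"])
        if port in LISTENING or port in EXEMPT:
            continue                      # real service, or a port people check after spam
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in WHITELIST):
            continue                      # an admin's mistyped nmap/wget must not lock them out
        expiry = datetime.fromisoformat(m["ts"]) + BAN_FOR
        key = str(src)
        bans[key] = max(bans.get(key, expiry), expiry)   # a repeat probe extends the ban
    return bans

def is_banned(bans, ip, now):
    """Bans expire, so a dynamic address is eventually usable by its next holder."""
    expiry = bans.get(ip)
    return expiry is not None and now < expiry
```

A single logged packet is enough to trigger a ban here, so the whitelist is the only protection against the spoofed-source lockout raised in the reply.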